Cyber Incident Victim: Phetchabun Hospital

On or around September 7, 2021, Phetchabun Hospital in Thailand experienced a data breach involving the theft of personal details belonging to more than 10,000 patients. Initial reports circulated on social media claimed a significantly larger compromise, alleging that data from 16 million patients under Thailand’s Public Health Ministry had been hacked and offered for sale. These claims prompted a public response from Phetchabun Governor Krit Kongmuang, who sought to address the allegations while minimizing their severity. Hospital and government officials explicitly downplayed the incident, characterizing the stolen patient information as “not important” in public statements. The breach disclosure followed a pattern where authorities initially contested the scale and sensitivity of the exposed data.

Subsequent revelations confirmed that health information was included in the compromised data set, contradicting early official assertions about the data’s lack of significance. The incident drew attention to the risks of downplaying cybersecurity breaches, as the hospital’s initial response was followed by acknowledgments of broader data exposure. While the exact attack vector and intrusion timeline were not detailed in available reports, the breach impacted at least 10,000 individuals’ personal and medical records. Public statements focused on reputational damage control rather than technical remediation steps, containment measures, or forensic findings. The discrepancy between social media reports of 16 million affected patients and the confirmed 10,000 cases from Phetchabun Hospital created public confusion about the incident’s scope. No additional information was provided regarding data recovery, ransom demands, or law enforcement involvement in the breach response.